Managing IAM access, API keys, trusted profiles, service IDs, and access groups (ibmcloud iam)

Command options

--uuid

Show UUID of service IDs only.

Examples

List UUID of all service IDs under current account:

ibmcloud iam service-ids --uuid

Command options

NAME (required)

Name of the service, exclusive with UUID.

UUID (required)

UUID of the service, exclusive with NAME.

--uuid

Display the UUID of the service ID.

Examples

Show details of service ID sample-test:

ibmcloud iam service-id sample-test

Show details of service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

Command options

NAME (required)

Name of the service.

-d, --description

Description of the service ID.

--lock

Lock the service ID during creation.

Examples

Create a service ID with service name sample-test and description hello, world!:

ibmcloud iam service-id-create sample-test -d 'hello, world!'

Create a locked service ID with service name sample-test and description hello, world!:

ibmcloud iam service-id-create sample-test -d 'hello, world!' --lock

Command options

NAME (required)

Name of the service, exclusive with UUID.

UUID (required)

UUID of the service, exclusive with NAME.

-n, --name

New name of the service.

-d, --description

New description of the service.

-f, --force

Update without confirmation.

Examples

Rename service ID sample-test to sample-test-2 without confirmation:

ibmcloud iam service-id-update sample-test -n sample-test-2 -f

Update description of the service sample-test:

ibmcloud iam service-id-update sample-test -d 'hello, friend!'

Rename service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 to sample-test-3 with new description:

ibmcloud iam service-id-update ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 -n sample-test-3 -d 'hello, my friends!'

Command options

NAME (required)

Name of the service, exclusive with UUID.

UUID (required)

UUID of the service, exclusive with NAME.

-f, --force

Delete without confirmation.

Examples

Delete service ID sample-teset without confirmation:

ibmcloud iam service-id-delete sample-teset -f

Delete service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id-delete ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

Command options

NAME (required)

Name of the service, exclusive with UUID.

UUID (required)

UUID of the service, exclusive with NAME.

-f, --force

Lock without confirmation.

Examples

Lock service ID sample-teset without confirmation:

ibmcloud iam service-id-lock sample-teset -f

Lock service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id-lock ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

Command options

NAME (required)

Name of the service, exclusive with UUID.

UUID (required)

UUID of the service, exclusive with NAME.

-f, --force

Unlock without confirmation.

Examples

Unlock service ID sample-teset without confirmation:

ibmcloud iam service-id-unlock sample-teset -f

Unlock service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id-unlock ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

Command options

--uuid

Show the UUID of the API key.

Command options

NAME (required)

Name of the API key to be created.

-d DESCRIPTION (optional)

Description of the API key.

--file FILE

Save API key information to the specified file.

--action-if-leaked value

The action to take if the key is leaked, can be "NONE", "DISABLE", or "DELETE". The default is "Disable".

--lock

Lock the API key when it is created.

Examples

Create an API key and save it to a file:

ibmcloud iam api-key-create MyKey -d "this is my API key" --file key_file

Create a locked API key with name "test-key":

ibmcloud iam api-key-create test-key --lock

Command options

NAME (required)

The old name of the API key to be updated, exclusive with UUID.

UUID (required)

The UUID of the API key to be updated, exclusive with NAME.

-n NAME (optional)

The new name of the API key.

-d DESCRIPTION (optional)

The new description of the API key.

--action-if-leaked value

The action to take if the key is leaked, can be "NONE", "DISABLE", or "DELETE". The default is "Disable"

Examples

Update the description of an API key:

ibmcloud iam api-key-update MyKey -d "the new description of my key"

The iam-identity.apikey.manage privilege is required for the account when the NAME and UUID command options are used. For more information, see Managing user API keys and IAM Identity Service.

Command options

NAME (required)

Name of the API key to be deleted, exclusive with UUID.

UUID (required)

UUID of the API key to be deleted, exclusive with NAME.

-f, --force

Force deletion without confirmation.

Command options

NAME (required)

The name of the API key to be locked, exclusive with UUID.

UUID (required)

UUID of the API key to be locked, exclusive with NAME.

-f, --force

Force lock without confirmation.

Examples

Lock API key test-api-key:

ibmcloud iam api-key-lock test-api-key

Lock API key with given UUID without confirmation:

ibmcloud iam api-key-lock ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

Command options

NAME (required)

The name of the API key to be unlocked, exclusive with UUID.

UUID (required)

The UUID of the API key to be unlocked, exclusive with NAME.

-f, --force

Unlock an API key without confirmation.

Examples

Unlock API key test-api-key:

ibmcloud iam api-key-unlock test-api-key

Unlock API key with given UUID without confirmation:

ibmcloud iam api-key-unlock ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

Command options

NAME (required)

The name of the API key to be disabled, exclusive with UUID.

UUID (required)

The UUID of the API key to be disabled, exclusive with NAME.

-f, --force

Force disable without confirmation.

Examples

Disable an API key test-api-key:

ibmcloud iam api-key-disable test-api-key

Disable an API key with given UUID without confirmation:

ibmcloud iam api-key-disable ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

Command options

NAME (required)

The name of the API key to be enabled, exclusive with UUID.

UUID (required)

The UUID of the API key to be enabled, exclusive with NAME.

-f, --force

Force enable without confirmation.

Examples

Enable API key test-api-key:

ibmcloud iam api-key-enable test-api-key

Enable API key with given UUID without confirmation:

ibmcloud iam api-key-enable ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

Command options

-a, --all

Display all API keys that are associated with all services.

SERVICE_ID_NAME (required)

The name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

The UUID of the service ID, exclusive with SERVICE_ID_NAME.

-f, --force

Display service API keys without confirmation.

Examples

List all API keys of the service sample-service:

ibmcloud iam service-api-keys sample-service

Command options

APIKEY_NAME (required)

Name of the API key, exclusive with APIKEY_UUID.

APIKEY_UUID (required)

UUID of the API key, exclusive with APIKEY_NAME.

SERVICE_ID_NAME (required)

Name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

UUID of the service ID, exclusive with SERVICE_ID_NAME.

--uuid

Display the UUID of the service API key.

-f, --force

Display service API key without confirmation.

Examples

Show details of service API key sample-key of service sample-service:

ibmcloud iam service-api-key sample-key sample-service

Command options

NAME (required)

Name of the service ID or newly created service API key.

SERVICE_ID_NAME (required)

Name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

UUID of the service ID, exclusive with SERVICE_ID_NAME.

-d, --description

Description of the API key.

--file FILE

Save API key information to the specified file.

--action-if-leaked value

The action to take if the key is leaked. The options are "NONE", "DISABLE", or "DELETE". The default option is "Disable".

-f, --force

Force creation without confirmation.

Examples

Create a service API key sample-key for service sample-service without confirmation:

ibmcloud iam service-api-key-create sample-key sample-service -f

Command options

APIKEY_NAME (required)

Name of the API key, exclusive with APIKEY_UUID.

APIKEY_UUID (required)

UUID of the API key, exclusive with APIKEY_NAME.

SERVICE_ID_NAME (required)

Name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

UUID of the service ID, exclusive with SERVICE_ID_NAME.

-n, --name

The new name of the service API key.

-d, --description

The new description of the service API key.

--action-if-leaked value

The action to take if the key is leaked, can be "NONE", "DISABLE", or "DELETE". The default is "Disable".

-f, --force

Update without confirmation.

Examples

Rename the service API key sample-key to new-sample-key:

ibmcloud iam service-api-key-update sample-key sample-service -n new-sample-key

Command options

APIKEY_NAME (required)

Name of the API key, exclusive with APIKEY_UUID.

APIKEY_UUID (required)

UUID of the API key, exclusive with APIKEY_NAME.

SERVICE_ID_NAME (required)

Name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

UUID of the service ID, exclusive with SERVICE_ID_NAME.

-f, --force

Delete without confirmation.

Examples

Delete service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-delete sample-key sample-service

Command options

APIKEY_NAME (required)

Name of the API key, exclusive with APIKEY_UUID.

APIKEY_UUID (required)

UUID of the API key, exclusive with APIKEY_NAME.

SERVICE_ID_NAME (required)

Name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

UUID of the service ID, exclusive with SERVICE_ID_NAME.

-f, --force

Lock without confirmation.

Examples

Lock service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-lock sample-key sample-service

Command options

APIKEY_NAME (required)

Name of the API key, exclusive with APIKEY_UUID.

APIKEY_UUID (required)

UUID of the API key, exclusive with APIKEY_NAME.

SERVICE_ID_NAME (required)

Name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

UUID of the service ID, exclusive with SERVICE_ID_NAME.

-f, --force

Unlock without confirmation.

Examples

Unlock service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-unlock sample-key sample-service

Command options

APIKEY_NAME (required)

The name of the API key, exclusive with APIKEY_UUID.

APIKEY_UUID (required)

The UUID of the API key, exclusive with APIKEY_NAME.

SERVICE_ID_NAME (required)

The name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

The UUID of the service ID, exclusive with SERVICE_ID_NAME.

-f, --force

Disable without confirmation.

Examples

Disable service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-disable sample-key sample-service

Command options

APIKEY_NAME (required)

The name of the API key, exclusive with APIKEY_UUID.

APIKEY_UUID (required)

The UUID of the API key, exclusive with APIKEY_NAME.

SERVICE_ID_NAME (required)

The name of the service ID, exclusive with SERVICE_ID_UUID.

SERVICE_ID_UUID (required)

The UUID of the service ID, exclusive with SERVICE_ID_NAME.

-f, --force

Enable without confirmation.

Examples

Enable service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-enable sample-key sample-service

Command options

USER_NAME (required)

User name to whom the policies belong.

Examples

List policies of user name@example.com:

ibmcloud iam user-policies name@example.com

Command options

USER_NAME (required)

User name to whom the policy belongs.

POLICY_ID (required)

ID of the policy.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

List policy 0bb730daa of user name@example.com:

ibmcloud iam user-policy name@example.com 0bb730daa

Command options

USER_NAME (required)

Username to whom the policy belongs.

--file FILE (optional)

JSON file of policy definition. You can use advanced operators in a JSON policy document to grant access to resources that satisfy specific naming conventions. For more information about using advanced operators to create wildcard policies, see Assigning access by using wildcard policies.

--roles ROLE_NAME1,ROLE_NAME2... (optional)

Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.

--service-name SERVICE_NAME (optional)

Service name of the policy definition. This option is exclusive with the --file option.

--service-instance SERVICE_INSTANCE_GUID (optional)

GUID of service instance of the policy definition. This option is exclusive with the --file option.

--region REGION (optional)

Region of the policy definition. This option is exclusive with the --file option.

--resource-type RESOURCE_TYPE (optional)

Resource type of the policy definition. This option is exclusive with the --file option.

--resource RESOURCE (optional)

Resource of the policy definition. This option is exclusive with the --file option.

--resource-group-name RESOURCE_GROUP_NAME (optional)

Name of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-id options.

--resource-group-id RESOURCE_GROUP_ID (optional)

ID of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-name options.

--account-management (optional)

Give access to all account management services.

--attributes name=value,name=value...

Set resource attributes in the form of name=value,name=value....

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Create user policy for user name@example.com from policy JSON file policy.json:

ibmcloud iam user-policy-create name@example.com --file @policy.json

Give name@example.com Administrator role for all instances of sample-service service:

ibmcloud iam user-policy-create name@example.com --roles Administrator --service-name sample-service

Give name@example.com Editor role and a custom role Responder for all instances of sample-service service:

ibmcloud iam user-policy-create name@example.com --roles Editor,Responder --service-name sample-service

Give name@example.com Editor role for resource key123 of sample service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam user-policy-create name@example.com --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Give name@example.com Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-create name@example.com --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Give name@example.com Viewer role for the members of the resource group sample-resource-group:

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-group-name sample-resource-group

Give name@example.com Viewer role for the members of the resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Give name@example.com Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam user-policy-create name@example.com --roles Viewer --service-name is --attributes "instanceId=*"

Command options

USER_NAME (required)

Username to whom the policy belongs.

POLICY_ID (required)

ID of the policy to update. --file FILE (optional)

JSON file of policy definition.

--roles ROLE_NAME1,ROLE_NAME2... (Optional)

Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME option. This option is exclusive with the --file option.

--service-name SERVICE_NAME (optional)

Service name of the policy definition. This option is exclusive with the --file option.

--service-instance SERVICE_INSTANCE_GUID (optional)

GUID of service instance of the policy definition. This option is exclusive with the --file option.

--region REGION (optional)

Region of the policy definition. This option is exclusive with the --file option.

--resource-type RESOURCE_TYPE (optional)

Resource type of the policy definition. This option is exclusive with the --file option.

--resource RESOURCE (optional)

Resource of the policy definition. This option is exclusive with the --file option.

--resource-group-name RESOURCE_GROUP_NAME (optional)

Name of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-id options.

--resource-group-id RESOURCE_GROUP_ID (optional)

ID of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-name options.

--account-management (optional)

Give access to all account management services.

--attributes name=value,name=value...

Set resource attributes in the form of 'name=value,name=value....'

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Update user policy with the one in JSON file：

ibmcloud iam user-policy-update name@example.com 0bb730daa --file @policy.json

Update user policy to give name@example.com Administrator role for all instances of sample-service service：

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Administrator --service-name sample-service

Update user policy to give name@example.com Editor role and a custom role Responder for all instances of sample-service service：

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Editor,Responder --service-name sample-service

Update user policy to give name@example.com Editor role for resource key123 of sample service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam user-policy-update name@example.com --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Update user policy to give name@example.com Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Update user policy to give name@example.com Viewer role for members of the resource group sample-resource-group:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --resource-group-name sample-resource-group

Update user policy to give name@example.com Viewer role for members of a resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Update user policy to give name@example.com Viewer role for service is resources with attribute instance equal to *:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --service-name is --attributes "instanceId=*"

Command options

-f, --force

Delete user policy without confirmation.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Delete policies user-policy-id of user name@example.com:

ibmcloud iam user-policy-delete name@example.com user-policy-id

Delete policies user-policy-id of user name@example.com without confirmation:

ibmcloud iam user-policy-delete name@example.com user-policy-id -f

Command options

SERVICE_ID (required)

Name or UUID of service ID.

-f, --force (optional)

Display service policies without confirmation.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

List policies of service test:

ibmcloud iam service-policies test

List policies of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policies ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

Command options

SERVICE_ID (required)

Name or UUID of service ID.

POLICY_ID (required)

ID of the service policy.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-f, --force (optional)

Display service policy without confirmation.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Show policy 140798e2-8ea7db3 of service test:

ibmcloud iam service-policies test 140798e2-8ea7db3

Show policy 140798e2-8ea7db3 of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policies ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 140798e2-8ea7db3

Command options

SERVICE_ID (required)

Name or UUID of service ID.

--file

JSON file of policy definition. This option is exclusive with the -r, --roles, --service-name, --service-instance, --region, --resource-type, --resource, --resource-group-name and --resource-group-id options. You can use advanced operators in a JSON policy document to grant access to resources that satisfy specific naming conventions. For more information about using advanced operators to create wildcard policies, see Assigning access by using wildcard policies.

-r, --roles

Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME option. This option is exclusive with the --file option.

--service-name

Service name of the policy definition. This option is exclusive with the --file option.

--service-instance SERVICE_INSTANCE_GUID

GUID of service instance of the policy definition. This option is exclusive with the --file option.

-region

Region of the policy definition. This option is exclusive with the --file option.

--resource-type

Resource type of the policy definition. This option is exclusive with the --file option.

--resource

Resource of the policy definition. This option is exclusive with the --file option.

--resource-group-name

Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id options.

--resource-group-id

ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name options.

--account-management (optional)

Give access to all account management services.

--account-management (optional)

Give access to all account management services.

--attributes name=value,name=value...

Set resource attributes in the form of 'name=value,name=value....'

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

-f, --force

Create a service policy without confirmation.

--api-version

Version of the access policy API.

Examples

Create service policy from JSON file for service test:

ibmcloud iam service-policy-create test --file @policy.json

Create service policy from JSON file for service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy-create ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 --file @policy.json

Grant service test the Administrator role for all account management services:

ibmcloud iam service-policy-create test --roles Administrator --account-management

Grant service test the Viewer role for all resources in account:

ibmcloud iam service-policy-create test --roles Viewer

Grant service test the Viewer role and a custom role Responder for all sample service instances in the account:

ibmcloud iam service-policy-create test --roles Viewer,Responder --service-name sample

Give service test the Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam service-policy-create sample-service --roles Viewer --service-name is --attributes "instanceId=*"

Command options

SERVICE_ID (required)

Name or UUID of service ID.

POLICY_ID (required)

ID of the service policy.

--file

JSON file of policy definition. This option is exclusive with the -r, --roles, --service-name, --service-instance, --region, --resource-type, --resource, resource-group-name, and resource-group-id options.

-r, --roles

Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file.

-service-name

Service name of the policy definition. This option is exclusive with the --file option.

-service-instance SERVICE_INSTANCE_GUID

GUID of service instance of the policy definition. This option is exclusive with the --file option.

-region

Region of the policy definition. This option is exclusive with the --file option.

-resource-type

Resource type of the policy definition. This option is exclusive with the --file option.

-resource

Resource of the policy definition. This option is exclusive with the --file option.

--resource-group-name

Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id options.

--resource-group-id

ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name options.

--account-management (optional)

Give access to all account management services.

--attributes name=value,name=value...

Set resource attributes in the form of 'name=value,name=value....'

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

-f, --force

Update service policy without confirmation.

--api-version

Version of the access policy API.

Examples

Update service policy 140798e2-8ea7db3 from JSON file for service test:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --file @policy.json

Update service policy 140798e2-8ea7db3 from JSON file for service test:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --file @policy.json

Update service policy 140798e2-8ea7db3 to grant service test the Administrator role for all account management services:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Administrator --account-management

Update service policy 140798e2-8ea7db3 to grant service test the Viewer role for all resources in account:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Viewer

Update the service policy 140798e2-8ea7db3 to grant service test the Viewer role and a custom role Responder for all sample service instances in the account:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Viewer,Responder --service-name sample

Update service policy 140798e2-8ea7db3 to grant service test the Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Viewer --service-name is --attributes "instanceId=*"

Command options

SERVICE_ID (required)

Name or UUID of service ID.

POLICY_ID (required)

ID of the service policy.

-f, --force

Delete without confirmation.

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

--api-version

Version of the access policy API.

Examples

Delete policy 140798e2-8ea7db3 of service test:

ibmcloud iam service-policy-delete test 140798e2-8ea7db3

Delete policy 140798e2-8ea7db3 of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy-delete ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 140798e2-8ea7db3

Command options

--resource-type

Resource type of the service. '--service' must be set along with this option.

--roles ROLE_NAME1,ROLE_NAME2...

Show details of specific roles

--service SERVICE_NAME

Name of the service. Only list platform-defined roles if not specified.

--source-service

Name of the service. Only list platform-defined roles if not specified. This option does not support private endpoints.

Examples

List platform default access roles and custom roles:

ibmcloud iam roles

List details of platform default access policy roles Administrator, Operator:

ibmcloud iam roles --roles Administrator,Operator

List details of access policy role Writer of cloud-object-storage service in JSON format:

ibmcloud iam roles --service cloud-object-storage --roles Writer --output JSON

List access policy roles for all account management service in JSON:

ibmcloud iam roles --service allacctmgmtroles --output JSON

List details of resource group access policy role Administrator:

ibmcloud iam roles --service resource-controller --roles Administrator

List details of access policy roles of resource type image of service is:

ibmcloud iam roles --service is --resource-type image

List authorization roles for source service cloud-object-storage and target service kms:

ibmcloud iam roles --source-service cloud-object-storage --service kms

Command options

--display-name DISPLAY_NAME

The display name of the role that is shown in the console.

--service-name SERVICE_NAME

The name of the service.

-a, --actions ROLE_ACTION1,ROLE_ACTION2...

The actions of the role. For more information, see IAM roles and actions.

-d, --description DESCRIPTION

The description of the role.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Create a role to perform any Cloudant database action:

ibmcloud iam role-create CloudDBAdmin --display-name "Cloudant DB Administrator" --service-name cloudantnosqldb --actions cloudantnosqldb.db.any

Create a role for read-only access to Certificate Manager by using multiple role actions:

ibmcloud iam role-create ReadonlyCertManager --display-name "Readonly Certificate Manager" --service-name cloudcerts --actions cloudcerts.certificate-metadata.read,cloudcerts.notifications-channel.list

Create a role to view toolchain dashboards and return the role in JSON format:

ibmcloud iam role-create PreviewCDCI --display-name "Preview Toolchains" --service-name toolchain --actions toolchain.dashboard.view --output JSON

Create a role that has a description:

ibmcloud iam role-create ServiceIDCreator --display-name "Service ID Creator" --service-name iam-identity --actions iam-identity.serviceid.create --description "Can only create service keys"

Command options

-t, --type ACCESS_POLICY_TYPE

List all access policies under the current account filtered by policy type. Valid options are: user | service_id | access_group | trusted_profile

--sort-by ATTRIBUTE

Sort the policies based on attributes. Valid options are: id | type | href | created_at | created_by_id | last_modified_at | last_modified_by_id | state. Prepend a minus (for example, -id, -type) for reverse sorting.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

List all access policies under the current account:

ibmcloud iam access-policies

List all user access policies under the current account:

ibmcloud iam access-policies --type user

List all service ID access policies under the current account:

ibmcloud iam access-policies --type service_id

List all access group access policies under the current account:

ibmcloud iam access-policies --type access_group

List all trusted profile access policies under the current account:

ibmcloud iam access-policies --type trusted_profile

List all trusted profile access policies that are sorted by created_at in ascending order under the current account:

ibmcloud iam access-policies --type trusted_profile --sort-by created_at

List all trusted user policies that are sorted by last_modified_at in descending order under the current account:

ibmcloud iam access-policies --type user --sort-by -last_modified_at

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Show access policy template AccessPolicyUserTemplate

ibmcloud iam access-policy-template AccessPolicyUserTemplate

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all access policy template under current account

ibmcloud iam access-policy-templates

Command options

--file JSON_FILE

JSON file of access policy template definition

-q, --quiet

Suppress verbose output.

Examples

Create an access policy template

imcloud iam access-policy-template-create --file /path/to/access_policy_template.json

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Show version 1 of access policy template AccessPolicyUserTemplate

ibmcloud iam access-policy-template-version AccessPolicyUserTemplate 1

Command options

--file JSON_FILE

JSON file of access policy template definition

-q, --quiet

Suppress verbose output.

Examples

Create a new version for access policy template AccessPolicyUserTemplate

ibmcloud iam access-policy-template-version-create AccessPolicyUserTemplate --file /path/to/access_policy_template.json

Command options

--file JSON_FILE

JSON file of access policy template definition

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Update version 1 of access policy template AccessPolicyUserTemplate

ibmcloud iam access-policy-template-version-create AccessPolicyUserTemplate 1 --file /path/to/access_policy_template.json

Command options

-f, --force

Force deletion without confirmation.

-q, --quiet

Suppress verbose output.

Examples

Delete version 2 of access policy template AccessPolicyUserTemplate

ibmcloud iam access-policy-template-version-delete AccessPolicyUserTemplate 2

Command options

-q, --quiet

Suppress verbose output.

Examples

Commit version 1 of access policy template AccessPolicyUserTemplate

ibmcloud iam access-policy-template-version-commit AccessPolicyUserTemplate 1

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Show access policy assignment AccessPolicyAssignment-adee40a7f8324d6fbcd4c4a67b326eb5

ibmcloud iam access-policy-assignment AccessPolicyAssignment-adee40a7f8324d6fbcd4c4a67b326eb5

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all access policy template assignments under current account

ibmcloud iam access-policy-assignments

Command options

-t, --type access | auth

List all policies under current account filtered by policy type. Valid options are: access | auth

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

List all account policies under current account:

ibmcloud iam account-policies

List all authorization policies under current account. Provides the same list as ibmcloud iam authorization-policies:

ibmcloud iam account-policies -t auth

List all access policies under current account. Provides the same list as ibmcloud iam access-policies:

ibmcloud iam account-policies -t access

Command options

SOURCE_SERVICE_NAME

The source service that can be authorized to access. To find the service's name, run the ibmcloud catalog service-marketplace command.

TARGET_SERVICE_NAME

The target service that the source service can be authorized to access. To find the service's name, run the ibmcloud catalog service-marketplace command.

ROLE_NAME1,ROLE_NAME2...

The roles that provide access for the source service.

--source-service-instance-name SOURCE_SERVICE_INSTANCE_NAME

Source service instance name, mutually exclusive with --source-service-instance-id and --source-service-account. If source service instance is not specified, all instances of the source service are authorized to access.

--source-service-instance-id SOURCE_SERVICE_INSTANCE_ID

Source service instance ID, mutually exclusive with --source-service-instance-name. If not specified, all instances of the source service are authorized to access.

--source-service-account ACCOUNT_GUID

Account GUID of source service, mutually exclusive with --source-service-instance-name. Use this option if source service is from another account.

--source-resource-group-id RESOURCE_GROUP_ID

Source resource group ID, mutually exclusive with '--source-service-instance-id'.

--source-resource-type

Resource type of source service.

--source-resource

Resource of source service. --target-service-instance-name TARGET_SERVICE_INSTANCE_NAME

Target service instance name, mutually exclusive with --target-service-instance-id. If not specified, all instances of the target service are authorized to access.

--target-service-instance-id TARGET_SERVICE_INSTANCE_ID

Target service instance ID, mutually exclusive with --target-service-instance-name. If not specified, all instances of the target service are authorized to access.

--target-resource-group-id RESOURCE_GROUP_ID

Target resource group ID, mutually exclusive with '--target-service-instance-id'.

--target-resource-type

Resource type of target service.

--target-resource

Resource of target service.

--file FILE

JSON file of policy definition.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Currently, some combination of --source-service and --service might fail under private endpoints. Use --file as a workaround, or you can create the policy from public endpoints or the UI console.

Command options

AUTHORIZATION_POLICY_ID

ID of authorization policy to be deleted.

-f, --force

Delete without confirmation.

Command options

AUTHORIZATION_POLICY_ID

ID of authorization policy to show.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Command options

-u

List access groups the user belongs to. This option is exclusive to '-s' and '-p'.

-s

List access groups the service ID belongs to. This option is exclusive to '-u' and '-p'.

-p

List access groups the trusted profile belongs to. This option is exclusive to '-s' and '-u'.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all access groups:

ibmcloud iam access-groups

List all access groups the trusted profile test_profile belongs to:

ibmcloud iam access-groups -p test_profile

Command options

-id

Show the ID only.

Examples

Show details of access group example_group:

ibmcloud iam access-group example_group

Command options

-d, --description

Description of access group.

Examples

Create an access group example_group:

ibmcloud iam access-group-create example_group -d "example access group"

Command options

-n, --name

New access group name.

-d, --description

New description.

-f, --force

Force update without confirmation.

Examples

Rename access group example_group to hello_world_group:

ibmcloud iam access-group-update example_group --name "hello_world_group"

Command options

-f, --force

Force deletion without confirmation.

-r, --recursive

Delete an access group and its members.

-a, --all

Force to delete access groups with the same name.

Examples

Delete access group example_group:

ibmcloud iam access-group-delete example_group --force

Examples

List all users in access group example_group:

ibmcloud iam access-group-users example_group

Examples

Add user name@example.com to access group example_group:

ibmcloud iam access-group-user-add example_group name@example.com

Examples

Remove user name@example.com from access group example_group:

ibmcloud iam access-group-user-remove example_group name@example.com

Command options

-f, --force

Delete without confirmation.

Examples

Remove user name@example.com from all access groups:

ibmcloud iam access-group-user-purge name@example.com -f

Examples

List all service IDs in access group example_group:

ibmcloud iam access-group-service-ids example_group

Examples

Add service ID example-service to access group example_group:

ibmcloud iam access-group-service-id-add example_group example-service

Examples

Remove service ID example-service from access group example_group:

ibmcloud iam access-group-service-id-remove example_group example-service

Command options

-f, --force

Delete without confirmation.

Examples

Remove service ID example-service from all access groups:

ibmcloud iam access-group-service-id-purge example --force

Command options

GROUP_NAME (required)

Name of the access group.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all trusted profiles in access group example_group:

ibmcloud iam access-group-trusted-profiles example_group

Command options

GROUP_NAME (required)

The name of the access group.

PROFILE_NAME | PROFILE_ID (required)

The names or IDs of the trusted profiles to add to the access group.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Add a trusted profile my-profile to access group example_group:

ibmcloud iam access-group-trusted-profile-add example_group my-profile

Command options

GROUP_NAME (required)

Name of the access group.

PROFILE_NAME | PROFILE_ID (required)

Name or ID of the trusted profile to remove from the access group.

-f, --force

Remove without confirmation.

-q, --quiet

Suppress verbose output.

Examples

Remove trusted profile my-profile from access group example_group:

ibmcloud iam access-group-trusted-profile-remove example_group my-profile

Command options

PROFILE_NAME | PROFILE_ID (required)

Name or ID of the trusted profile to remove from all access groups.

-f, --force

Purge without confirmation.

-q, --quiet

Suppress verbose output.

Examples

Remove trusted profile my-profile from all access groups:

ibmcloud iam access-group-trusted-profile-purge my-profile

Command options

GROUP_NAME

Name of the access group.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

List all policies of access group example_group:

ibmcloud iam access-group-policies example_group

Command options

GROUP_NAME

Name of the access group.

POLICY_ID

The ID of the policy to retrieve.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Show details of the policy 51b9717e-76b0-4f6a-bda7-b8132431f926 of access group example_group:

ibmcloud iam access-group-policy example_group 51b9717e-76b0-4f6a-bda7-b8132431f926

Command options

--file

JSON file of policy definition. You can use advanced operators in a JSON policy document to grant access to resources that satisfy specific naming conventions. For more information about using advanced operators to create wildcard policies, see Assigning access by using wildcard policies.

-roles

Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.

-service-name

Service name of the policy definition. This option is exclusive with the --file option.

-service-instance SERVICE_INSTANCE_GUID

GUID of service instance of the policy definition. This option is exclusive with the --file option.

-region

Region of the policy definition. This option is exclusive with the --file option.

-resource-type

Resource type of the policy definition. This option is exclusive with the --file option.

-resource

Resource of the policy definition. This option is exclusive with the --file option.

-resource-group-name

Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id option.

-resource-group-id

ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name option.

-tags

Access tags of the resource. Use tags to organize, track usage costs, or manage access to your resources. For more information on tags, see Working with tags.

--account-management

Give access to all account management services.

--attributes name=value,name=value...

Set resource attributes in the form of 'name=value,name=value....'

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Create an access group policy from a JSON file:

ibmcloud iam access-group-policy-create example_group -f @policy.json

Give example_group Administrator role for all sample-service resources:

ibmcloud iam access-group-policy-create example_group --roles Administrator --service-name sample-service

Give example_group Editor role and a custom role Responder for all instances of sample-service in us-south region:

ibmcloud iam access-group-policy-create example_group --roles Editor,Responder --service-name sample-service --region us-south

Give example_group Editor role for resource key123 of sample-service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam access-group-policy-create example_group --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Give example_group Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-create example_group --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Give example_group Viewer role for the members of the resource group sample-resource-group:

ibmcloud iam access-group-policy-create example_group --roles Viewer --resource-group-name sample-resource-group

Give example_group Viewer role for the members of the resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-create example_group --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Give example_group Administrator role for all account management services:

ibmcloud iam access-group-policy-create example_group --roles Administrator --account-management

Give example_group Viewer role for all resources in account:

ibmcloud iam access-group-policy-create example_group --roles Viewer

Give example_group Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam access-group-policy-create example_group --roles Viewer --service-name is --attributes "instanceId=*"

Create access tags for the resource:

ibmcloud iam access-group-policy-create --tags env:dev,env:test

Command options

--file

JSON file of policy definitions.

--roles

Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.

-service-name

Service name of the policy definition. This option is exclusive with the --file option.

-service-instance SERVICE_INSTANCE_GUID

GUID of service instance of the policy definition. This option is exclusive with the --file option.

-region

Region of the policy definition. This option is exclusive with the --file option.

-resource-type

Resource type of the policy definition. This option is exclusive with the --file option.

-resource

Resource of the policy definition. This option is exclusive with the --file option.

-resource-group-name

Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id option.

-resource-group-id

ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name option.

--account-management (optional)

Give access to all account management services.

--attributes name=value,name=value...

Set resource attributes in the form of 'name=value,name=value....'

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Update the access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 with the one in policy JSON file:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 -f @policy.json

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Administrator role for all sample-service resources:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Administrator --service-name sample-service

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Editor role and a custom role Responder for all instances of sample-service in us-south region:

ibmcloud iam access-group-policy-update example_group --roles Editor,Responder --service-name sample-service --region us-south

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Editor role for resource key123 of sample-service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam access-group-policy-update example_group --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Viewer role for members of the resource group sample-resource-group:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --resource-group-name sample-resource-group
```bash
{: codeblock}

Update access group policy `b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4` to give `example_group` `Viewer` role for members of resource group with ID `dda27e49d2a1efca58083a01dfde18f6`:
```bash {: codeblock}
ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Administrator role for all account management services:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Administrator --account-management

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Viewer role for all resources in the account:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --service-name is --attributes "instanceId=*"

Command options

--api-version

Version of the access policy API.

-f, --force

Force deletion without confirmation.

-q, --quiet

Suppress verbose output.

Examples

Delete policy 51b9717e-76b0-4f6a-bda7-b8132431f926 of access group example_group:

ibmcloud iam access-group-policy-delete example_group 51b9717e-76b0-4f6a-bda7-b8132431f926 -f

Command options

--access-group-name NAME

Access group name to create for the template

-d, --description DESCRIPTION

Description of the template

--file FILE

Description of the template

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Create an access group template with specified name and access group name

ibmcloud iam access-group-template-create example-template-name --access-group-name example-access-group -d example-description

Create an access group template by using a JSON file

ibmcloud iam access-group-template-create --file JSON_FILE

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Show details of an access group template in JSON format

ibmcloud iam access-group-template --output JSON

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Show details of a specified version of an access group template in JSON format

ibmcloud iam access-group-template-version example-template-name 1 --output JSON

Command options

-q, --quiet

Suppress verbose output.

Examples

Commit a specified version of an access group template

ibmcloud iam access-group-template-version-commit example-template-id 1

Command options

--file FILE

Description of the template

-q, --quiet

Suppress verbose output.

Examples

Create a new version of an access group template

ibmcloud iam access-group-template-version-create example-template-id --file JSON_FILE

Command options

-q, --quiet

Suppress verbose output.

Examples

Delete a specified version of an access group template

ibmcloud iam access-group-template-version-delete example-template-id 1

Command options

--file FILE

Description of the template

-q, --quiet

Suppress verbose output.

Examples

Update a specified version of an access group template with a JSON file

ibmcloud iam access-group-template-version-update example-template-name 1 --file JSON_FILE

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all versions of an access group template

ibmcloud iam access-group-template-versions example-template-name

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all access group templates under current account in JSON format

ibmcloud iam access-group-template-versions example-template-name --output JSON

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Show details of an access group assignment in JSON format

ibmcloud iam access-group-assignments --output JSON

Command options

--target value

ID of the entity targeted --target-type value

Type of entity targeted -q, --quiet

Suppress verbose output

Examples

Show details of an access group assignment in JSON format

ibmcloud iam access-group-assignment-create example-template-id 1 --target-type Account --target example-account-id

Command options

-q, --quiet

Suppress verbose output

Examples

Delete a specified access group assignment

ibmcloud iam access-group-assignment-delete example-assignment-id

Command options

-q, --quiet

Suppress verbose output

Examples

Update a specified access group assignment

ibmcloud iam access-group-assignment-update example-assignment-id

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all access group assignments under current account in JSON format

ibmcloud iam access-group-assignments --output JSON

Command options

NAME (required)

Name of the new profile.

-d, --description DESCRIPTION

Description of the profile.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Create a trusted profile with name sample-test and description "sample trusted profile":

ibmcloud iam trusted-profile-create sample-test -d "sample trusted profile"

Command options

NAME|ID (required)

Name or ID of the profile.

--id

Show the ID of the profile only.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Retrieve trusted profile with name sample-test:

ibmcloud iam trusted-profile sample-test

Retrieve trusted profile with profile ID Profile-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam trusted-profile Profile-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

Command options

--can-assume

Show profiles that can be assumed with the current account only.

--id

Show ID of profiles only.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List ID of all trusted profiles under current account:

ibmcloud iam trusted-profiles --id

List trusted profiles that can be assumed with the current account:

ibmcloud iam trusted-profiles --can-assume

Command options

NAME|ID

The name or ID of the profile to assume. --output FORMAT

The specified output format. Only 'JSON' is supported. -q, --quiet

Suppress verbose output.

Examples

Assume a trusted profile with name sample-test:

ibmcloud iam trusted-profile-assume sample-test

View the currently assumed trusted profile:

ibmcloud iam trusted-profile-assume

Command options

-q, --quiet

Suppress verbose output.

Examples

Leave a trusted profile previously assumed:

ibmcloud iam trusted-profile-leave

Command options

NAME|ID (required)

Name or ID of the profile to update.

-n, --name NEW_NAME

New name of the trusted profile.

-d, --description NEW_DESCRIPTION

New description of the profile. Providing an empty description clears the description of the profile.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-f, --force

Force failure if multiple profiles are found.

-q, --quiet

Suppress verbose output.

Examples

Update trusted profile with name sample-test to new name of test:

ibmcloud iam trusted-profile-update sample-test -n test

Update trusted profile sample-test with new description of testing trusted profile update:

ibmcloud iam trusted-profile-update sample-test -d "testing trusted profile update"

Command options

NAME|ID (required)

Name or ID of the profile to delete.

-f, --force

Delete a trusted profile without confirmation.

-q, --quiet

Suppress verbose output.

Examples

Delete trusted profile with name sample-test:

ibmcloud iam trusted-profile-delete sample-test

Command options

NAME|ID (required)

The name or ID of the profile to assign the new policy to

--account-management

Give access to all account management services.

--api-version

Version of the access policy API.

--attributes name=value,name-value...

Set resource attributes in the form of 'name=value,name=value....'

--file JSON_FILE

JSON file of policy definition.

-f, --force

Force failure if multiple profiles are found.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

--region REGION

Region of the policy definition. This option is exclusive with '--file'. For supported regions, run 'ibmcloud regions'.

--resource RESOURCE

Resource of the policy definition. This option is exclusive with '--file'.

--resource-group-id RESOURCE_GROUP_ID

ID of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-name'.

--resource-group-name RESOURCE_GROUP_NAME

Name of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-id'.

--resource-type RESOURCE_TYPE

Resource type of the policy definition. This option is exclusive with '--file'.

--roles ROLE_NAME1,ROLE_NAME2...

Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.

-q, --quiet

Suppress verbose output.

--service-instance SERVICE_INSTANCE_GUID

GUID of service instance of the policy definition. This option is exclusive with '--file'.

--service-name SERVICE_NAME

Service name of the policy definition. This option is exclusive with '--file'.

--tags name1:value1,name2:value2...

Access tags of the resource.

Examples

Create a trusted profile policy for my-profile from a JSON file:

iam trusted-profile-policy-create my-profile --file policy.json

Give my-profile Viewer role for the members of resource group sample-resource-group:

iam trusted-profile-policy-create my-profile --roles Viewer --resource-group-id sample-resource-group

Give my-profile Viewer role for all resources in account:

iam trusted-profile-policy-create my-profile --roles Viewer

Command options

NAME|ID (required)

Name or ID of the profile.

POLICY_ID (required)

The ID of the policy to retrieve.

-f, --force

Force failure if multiple profiles are found.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Get policy bdf62c30-35dd-4852-bcb8-2f0dd3929701 of trusted profile my-profile:

ibmcloud iam trusted-profile-policy my-profile bdf62c30-35dd-4852-bcb8-2f0dd3929701

Command options

NAME|ID (required)

Name or ID of the profile.

-f, --force

Force failure if multiple profiles are found.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

List all policies of trusted profile ID Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701:

ibmcloud iam trusted-profile-policies Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701

Command options

NAME|ID (required)

The name or ID of the profile to assign the new policy to update.

POLICY_ID (required)

The ID of the policy to update.

--account-management

Give access to all account management services.

--attributes name=value,name-value...

Set resource attributes in the form of 'name=value,name=value....'

--file JSON_FILE

JSON file of policy definition.

-f, --force

Force failure if multiple profiles are found.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

--region REGION

Region of the policy definition. This option is exclusive with '--file'. For supported regions, run 'ibmcloud regions'.

--resource RESOURCE

Resource of the policy definition. This option is exclusive with '--file'.

--resource-group-id RESOURCE_GROUP_ID

ID of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-name'.

--resource-group-name RESOURCE_GROUP_NAME

Name of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-id'.

--resource-type RESOURCE_TYPE

Resource type of the policy definition. This option is exclusive with '--file'.

--roles ROLE_NAME1,ROLE_NAME2...

Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.

--service-instance SERVICE_INSTANCE_GUID

GUID of service instance of the policy definition. This option is exclusive with '--file'.

--service-name SERVICE_NAME

Service name of the policy definition. This option is exclusive with '--file'.

--tags name1:value1,name2:value2...

Access tags of the resource.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Update policy 85f3a4d6-c2e1-417e-b2d5-7199d610c160 to give trusted profile my-profile Administrator role for all account management services:

ibmcloud iam trusted-profile-policy-update my-profile 85f3a4d6-c2e1-417e-b2d5-7199d610c160 --roles Administrator --account-management

Update policy bdf62c30-35dd-4852-bcb8-2f0dd3929701 from my-profile with contents in JSON file:

ibmcloud iam trusted-profile-policy-update my-profile bdf62c30-35dd-4852-bcb8-2f0dd3929701 --file @policy.json

Command options

NAME|ID (required)

The name or ID of the profile that contains the policy to delete.

POLICY_ID (required)

The ID of the policy to delete.

-f, --force

Delete access policy without confirmation.

-q, --quiet

Suppress verbose output.

--api-version

Version of the access policy API.

Examples

Delete policy ID bdf62c30-35dd-4852-bcb8-2f0dd3929701 from my-profile without confirmation:

ibmcloud iam trusted-profile-policy-delete my-profile bdf62c30-35dd-4852-bcb8-2f0dd3929701 -f

Command options

NAME|ID (required)

The name or ID of the profile to link the compute resource to.

--name

The name for the link.

--cr-type (required)

The compute resource type. VSI for Virtual Service Instance on VPC, IKS_SA for Service Accounts on Kubernetes clusters, or ROKS_SA for managed Red Hat OpenShift.

--link-crn (required)

CRN of the VSI instance / cluster instance.

--link-namespace

Namespace of the service account for IKS_SA or ROKS_SA, required if IKS_SA or ROKS_SA.

--link-name

Name of the service account for IKS_SA or ROKS_SA, required if IKS_SA or ROKS_SA.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-f, --force

Force failure if multiple profiles are found.

-q, --quiet

Suppress verbose output.

Examples

Create a link named my_link for trusted profile my-profile for an IKS_SA compute resource with service account name default, default namespace, and my_compute_resource_crn CRN:

ibmcloud iam trusted-profile-link-create my_profile --name my_link --cr-type IKS_SA --link-name default  --link-namespace default --link-crn my_compute_resource_crn

Create a link that is named my_link for trusted profile ID Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701 for an IKS_SA compute resource with service account name default in the namespace my_namespace and with a CRN of my_resource_crn:

ibmcloud iam trusted-profile-link-create Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701 --name my_link --cr-type IKS_SA --link-name default --link-namespace my_namespace --link-crn my_resource_crn

Create a link named my_link for trusted profile ID Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701 for a VSI compute resource with a CRN of my_resource_crn:

ibmcloud iam trusted-profile-link-create Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701 --name my_link --cr-type VSI --link-crn my_resource_crn

Command options

NAME|ID (required)

The name or ID of the trusted profile to retrieve links.

--id

Show ID of links only.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-f, --force

Force failure if multiple profiles are found.

-q, --quiet

Suppress verbose output.

Examples

Display the ID of all links in the trusted profile my-profile:

ibmcloud iam trusted-profile-links my-profile --id

Display all of the links in the trusted profile my-profile in JSON format:

ibmcloud iam trusted-profile-links my-profile --output JSON

Command options

NAME|ID (required)

The name or ID of the profile that contains the link to delete.

LINK_NAME|LINK_ID (required)

Name or ID of the link to delete.

-f, --force

Force deletion without confirmation.

-q, --quiet

Suppress verbose output.

Examples

Delete the link my_link from trusted profile my-profile without confirmation:

ibmcloud iam trusted-profile-link-delete my-profile my_link -f

Command options

NAME|ID (required)

Name or ID of the trusted profile.

IDENTITY_IDENTIFIER|IDENTITY_ID (required)

Identifier or ID of the Identity to retrieve.

--id-type (required)

The type of identifier to retrieve for the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN

--id

Show ID of the identity only.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Command options

NAME|ID (required)

Name or ID of the trusted profile.

--id-type

The type of identifiers to retrieve for the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN

--id

Show the ID of the identities only.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-f, --force

Force a failure if multiple profiles are found.

-q, --quiet

Suppress verbose output.

Command options

NAME|ID (required)

The name or ID of the profile to connect the identity to.

--id (required)

ID for the identity.

--id-type (required)

The type of identifier to connect to the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN

--description DESCRIPTION

Optional description for the connection to the trusted profile

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Command options

NAME|ID (required)

The name or ID of the profile to disconnect the identity from.

IDENTITY_IDENTIFIER|IDENTITY_ID (required)

Identifier or ID of the Identity to disconnect.

--id-type (required)

The type of identifier to disconnect from the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN

-f, --force

Force deletion without confirmation.

-q, --quiet

Suppress verbose output.

Command options

NAME|ID (required)

Name or ID of the profile to create a rule for.

--type (required)

'Profile-SAML' for a SAML rule or 'Profile-CR' for a compute resource rule

--conditions (required)

List of conditions, provided as a comma-separated list of triple values "claim:CLAIM,operator:OPERATOR,value:VALUE". To specify multiple conditions, specify the flag multiple times --conditions "claim:CLAIM1,operator:OPERATOR1,value:VALUE1" --conditions "claim:CLAIM2,operator:OPERATOR2,value:VALUE2".

--expiration

Specify an expiration in seconds for SAML rules. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).

--name

Name for the rule.

--cr-type

The compute resource type that the rule applies to is required only if type is specified as 'Profile-CR'. Values are VSI for Virtual Service Instance on VPC, IKS_SA for Service Accounts on Kubernetes clusters, or ROKS_SA for managed Red Hat OpenShift.

--realm-name

The issuer ID for trusts established via IBMid with federation, or appid:// for trusts established by using App ID federation. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-f, --force

Force failure if multiple profiles are found.

-q, --quiet

Suppress verbose output.

Examples

Create a Profile-SAML rule with rule name my-rule, realm name set to https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20, expiration set to 1200 seconds for trusted profile my-profile with the rule conditions: cn EQUALS my_user

ibmcloud iam trusted-profile-rule-create my-profile --name my-rule --type Profile-SAML --conditions claim:cn,operator:EQUALS,value:my_user --realm-name https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20 --expiration 1200

Create a Profile-SAML rule with realm name set to https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20 and expiration set to 1200 seconds for trusted profile my-profile with the rule conditions: cn EQUALS my_user and blueGroups NOT_EQUALS jaas_master

ibmcloud iam trusted-profile-rule-create my-profile --type Profile-SAML --conditions claim:cn,operator:EQUALS,value:my_user --conditions claim:blueGroups,operator:NOT_EQUALS,value:jaas_master --realm-name https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20 --expiration 1200

Create a Profile-CR rule with rule name my-rule, compute resource type IKS_SA, and with the rule conditions: namespace EQUALS default and crn EQUALS crn:test:bluemix:public:containers-kubernetes:us-south:a/test::

ibmcloud iam trusted-profile-rule-create my-profile --name my-rule --type Profile-CR --conditions claim:namespace,operator:EQUALS,value:default --conditions claim:crn,operator:EQUALS,value:crn:test:bluemix:public:containers-kubernetes:us-south:a/test:: --cr-type IKS_SA

Command options

NAME|ID (required)

Name or ID of the trusted profile to retrieve rules for.

--output FORMAT.

Specify the output format. Only 'JSON' is supported.

-f, --force

Force failure if multiple profiles are found.

-q, --quiet

Suppress verbose output.

Examples

Display all rules in the trusted profile my-profile:

ibmcloud iam trusted-profile-rules my-profile

Command options

NAME|ID (required)

The name or ID of the trusted profile to update a rule for.

RULE_NAME|RULE_ID (required)

The name or ID of the rule to update.

--type

'Profile-SAML' for a SAML rule or 'Profile-CR' for a compute resource rule.

--conditions

List of conditions, provided as a comma-separated list of triple values "claim:CLAIM,operator:OPERATOR,value:VALUE". To specify multiple conditions, specify the flag multiple times --conditions "claim:CLAIM1,operator:OPERATOR1,value:VALUE1" --conditions "claim:CLAIM2,operator:OPERATOR2,value:VALUE2".

--cr-type

The compute resource type that the rule applies to is required only if type is specified as 'Profile-CR'. Values are VSI for Virtual Service Instance on VPC, IKS_SA for Service Accounts on Kubernetes clusters, or ROKS_SA for managed Red Hat OpenShift.

--expiration

Specify an expiration in seconds for SAML rules. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).

--name

New name for the rule.

--realm-name

Issuer Id for trusts established via IBMid with federation, or appid:// for trusts established via App ID federation. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-f, --force

Force failure if multiple rules are found.

-q, --quiet

Suppress verbose output.

Examples

Update rule ClaimRule-test-id in profile my-profile with new name test-rule:

ibmcloud iam trusted-profile-rule-update my-profile ClaimRule-test-id --name test-rule

Update Profile-SAML rule my-rule in profile my-profile with new realm name https://www.example.org/my-nice-idp:

ibmcloud iam trusted-profile-rule-update my-profile my-rule --realm-name https://www.example.org/my-nice-idp

Update rule conditions and expiration time for Profile-SAML rule ClaimRule-a448e998-311f-4e23-8af8-66b855c5da11 in profile my-profile:

ibmcloud iam trusted-profile-rule-update my-profile ClaimRule-a448e998-311f-4e23-8af8-66b855c5da11 --conditions claim:cn,operator:EQUALS,value:my_user --expiration 1200

Update rule conditions and compute resource type for Profile-CR rule ClaimRule-cb8e3a2c-2d16-422b-b691-8791355b53bc in profile my-profile:

ibmcloud iam trusted-profile-rule-update my-profile ClaimRule-cb8e3a2c-2d16-422b-b691-8791355b53bc --conditions claim:crn,operator:EQUALS,value:crn:v1:bluemix:public:containers-redhat:us-south:a/test:: --cr-type ROKS_SA

Command options

NAME|ID (required)

The name or ID of the profile that contains the rule to delete.

RULE_NAME|RULE_ID (required)

The name or ID of the rule to delete.

-f, --force

Force deletion without confirmation.

-q, --quiet

Suppress verbose output.

Examples

Delete rule my-rule from trusted profile my-profile without confirmation:

ibmcloud iam trusted-profile-rule-delete my-profile my-rule -f

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

List trusted profile templates in table format

ibmcloud iam trusted-profile-templates

Command options

--file JSON_FILE

JSON file of the template definition

Examples

List details of a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version example-template-name 1

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Command options

Examples

Commit a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version-commit example-template-name 1

-q, --quiet

Suppress verbose output.

Command options

-q, --quiet

Suppress verbose output.

--file JSON_FILE

JSON file of the template definition.

Examples

Create a new version of a specified template from a JSON file

ibmcloud iam trusted-profile-template-version-create example-template-name --file JSON_FILE

Command options

-q, --quiet

Suppress verbose output.

Examples

Delete a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version-delete example-template-name 1

Command options

-q, --quiet

Suppress verbose output.

--file JSON_FILE

JSON file of the template definition.

Examples

Update a specified version of a trusted profile template with a JSON file

ibmcloud iam trusted-profile-template-version-update example-template-name 1 --file JSON_FILE

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

List all versions of a trusted profile template in JSON format

ibmcloud iam trusted-profile-template-versions --output JSON

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

Show details of a trusted profile assignment in JSON format

ibmcloud iam trusted-profile-assignment example-assignment-id --output JSON

Command options

-q, --quiet

Suppress verbose output.

--target TARGET

ID of the entity targeted

--target-type TYPE

Type of entity targeted

Examples

Create a trusted profile assignment in a specified target account

ibmcloud iam trusted-profile-assignment-create example-template-id 1 --target-type Account --target example-account-id

Command options

-q, --quiet

Suppress verbose output.

Examples

Create a trusted profile assignment in a specified target account

ibmcloud iam trusted-profile-assignment-create example-template-id 1 --target-type Account --target example-account-id

Command options

-q, --quiet

Suppress verbose output.

Examples

Update a trusted profile assignment

ibmcloud iam trusted-profile-assignment-update example-template-id 1

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

List all trusted profile assignments in current account in JSON format

ibmcloud iam trusted-profile-assignments --output JSON

Command options

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Command options

--restrict-create-service-id RESTRICTION_SETTING

The restriction level on Service ID creation (one of RESTRICTED, NOT_RESTRICTED, or NOT_SET).

--restrict-create-platform-apikey RESTRICTION_SETTING

The restriction level on API Key creation (one of RESTRICTED, NOT_RESTRICTED, or NOT_SET).

--allowed-ip-addresses ADDRESS_LIST

The IP addresses and subnets from which IAM tokens can be created (the default is "").

--unset-allowed-ip-addresses

Clear all IP address restrictions

--session-expiration-in-seconds SECONDS_EXP

The number of seconds after which the session expires (can also be NOT_SET, which resets the value to default).

--session-invalidation-in-seconds SECONDS_INV

The number of seconds of inactivity after which a session is invalidated (can also be "NOT_SET", which resets the value to default).

--max-sessions-per-identity SESSIONS_MAX

The maximum number of sessions per identity on the account (can also be NOT_SET, which resets the value to default).

--mfa MFA

The type of MFA on the account (one of NONE, TOTP, TOTP4ALL, LEVEL1, LEVEL2, or LEVEL3).

--output FORMAT

Specify the output format. Only 'JSON' is supported.

-q, --quiet

Suppress verbose output.

Examples

Update the multi-factor authentication setting of an account to LEVEL3:

ibmcloud iam account-settings-update --mfa LEVEL3

Update the number of seconds after which a session expires to default (with NOT_SET):

ibmcloud iam account-settings-update --session-expiration-in-seconds NOT_SET

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

Show details for account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template AccountSettingsEditorTemplate

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

List account settings templates on your current account

ibmcloud iam account-settings-templates

Command options

-d , --description DESCRIPTION

Description of the template

--file JSON_FILE

JSON file of the template definition

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

Create an account settings template on your current account

ibmcloud iam account-settings-template-create AccountSettingsEditorTemplate --fie /path/to/account_settings_template.json

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

Show version 1 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-create AccountSettingsEditorTemplate 1

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

List versions of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-versions AccountSettingsEditorTemplate

Command options

--file JSON_FILE

JSON file of account settings template definition

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

Create a new version of the account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-create AccountSettingsEditorTemplate --file /path/to/account_settings_template.json

Command options

-d value, --description DESCRIPTION

Description of the template

--file JSON_FILE

JSON file of template definition

-q, --quiet

Suppress verbose output.

Examples

Update version 1 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-update AccountSettingsEditorTemplate 1 --file /path/to/account_settings_template.json

Command options

-q, --quiet

Suppress verbose output.

Examples

Delete version 2 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-delete AccountSettingsEditorTemplate 2

Command options

-q, --quiet

Suppress verbose output.

Examples

Commit version 1 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-commit AccountSettingsEditorTemplate 1

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

List assignments in current account

ibmcloud iam account-settings-assignments

Command options

-q, --quiet

Suppress verbose output.

--output FORMAT

Specify the output format. Only 'JSON' is supported.

Examples

Get account settings assignment AccountSettingsAssignment-7c4345c7f2cb4c75a9f29b68fc1e1e88

ibmcloud iam account-settings-assignment AccountSettingsAssignment-7c4345c7f2cb4c75a9f29b68fc1e1e88

Command options

-q, --quiet

Suppress verbose output.

Examples

Assign account settings template to account

ibmcloud iam account-settings-assignment-create TemplateTest 1 Account f7fc6938256e46e1a25ee09e14ca9c20

Assign account settings template to account group

ibmcloud iam account-settings-assignment-create TemplateTest 1 AccountGroup 955fc2274567474f8da802d5c376504b

Command options

-q, --quiet

Suppress verbose output.

Examples

Update account settings assignment AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b to a template version 2

ibmcloud iam account-settings-assignment-update AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b 2

Command options

-q, --quiet

Suppress verbose output.

Examples

Delete account settings assignment AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b

ibmcloud iam account-settings-assignment-delete AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b